DevHeads.net

New 2.4 configuration, need sanity and security check

Hello,

I'm doing a config rewrite. I'm using apache 2.4. If someone who does
security could give my setup a check from a security perspective i'd
appreciate it.

I'm also wondering in particular about my cache setup and virtual
hosts. There's a lot of repeated lines.

Config at the end of this message, rather long.

Much appreciation.

Thanks.
Dave.

# httpd.conf

#
# Httpd minimalistic configuration
#

ServerRoot "/usr/local"
Listen xxx.xxx.xxx.xxx:80
# Loadable modules
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
#LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
LoadModule file_cache_module libexec/apache24/mod_file_cache.so
LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
#LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
#LoadModule lua_module libexec/apache24/mod_lua.so
LoadModule env_module libexec/apache24/mod_env.so
LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule lbmethod_byrequests_module
libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module
libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
#LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
#LoadModule suexec_module libexec/apache24/mod_suexec.so
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule security2_module libexec/apache24/mod_security2.so
#LoadModule perl_module libexec/apache24/mod_perl.so
#LoadModule evasive20_module libexec/apache24/mod_evasive20.so
LoadModule geoip_module libexec/apache24/mod_geoip.so
LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so
LoadModule php5_module libexec/apache24/libphp5.so

User www
Group www
ServerAdmin <a href="mailto: ... at example dot com"> ... at example dot com</a>
ServerName <a href="http://www.example.com:80" title="www.example.com:80">www.example.com:80</a>
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/usr/local/www/apache24/xxxxxxxxx"
<Directory "/usr/local/www/apache24/xxx">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
DirectoryIndex index.html index.htm index.pl
<Files ".ht*">
Require all denied
</Files>
ErrorLog "/var/log/httpd-error.log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "/var/log/httpd-access.log" common
<IfModule headers_module>
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
RequestHeader unset Proxy early
</IfModule>
TypesConfig etc/apache24/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# MIME-types for downloading Certificates and CRLs
AddType application/x-x509-cacert .crt
AddType application/x-pkcs7-crl .crl
# Mime types for HTML 5 audio and videos
AddType audio/aac .aac
AddType audio/mp4 .mp4 .m4a
AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg
AddType audio/ogg .oga .ogg
AddType audio/wav .wav
AddType audio/webm .webm
AddType video/mp4 .mp4 .m4v
AddType video/ogg .ogv
AddType video/webm .webm
MIMEMagicFile etc/apache24/magic

# Include server default values
Include etc/apache24/extra/httpd-default.conf

# Include mpm values
Include etc/apache24/extra/httpd-mpm.conf

# Secure (SSL/TLS) connections
Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Some security settings
Include etc/apache24/extra/httpd-security.conf
Include etc/apache24/Includes/*.conf
# For mod security
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf

#
# Mod deflate settings
#
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
text/javascript application/javascript
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v
Header append Vary User-Agent

AcceptFilter http none
AcceptFilter https none

# GeoIP
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
GeoIPScanProxyHeaders On

# Cache setup
CacheRoot /usr/local/www/proxy
CacheDirLevels 2
CacheDirLength 1

# for acme challenges
<Directory "/usr/local/www/.well-known/">
Options None
AllowOverride None
Require all granted
Header add Content-Type text/plain
</Directory>

# httpd-default.conf

#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
#

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName On

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., <a href="http://www.apache.org" title="www.apache.org">www.apache.org</a> (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# Set a timeout for how long the client may take to send the request header
# and body.
# The default for the headers is header=20-40,MinRate=500, which means wait
# for the first byte of headers for 20 seconds. If some data arrives,
# increase the timeout corresponding to a data rate of 500 bytes/s, but not
# above 40 seconds.
# The default for the request body is body=20,MinRate=500, which is the same
# but has no upper limit for the timeout.
# To disable, set to header=0 body=0
#
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# httpd-mpm.conf
#
# Server-Pool Management (MPM specific)
#

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#
<IfModule !mpm_netware_module>
PidFile "/var/run/httpd.pid"
</IfModule>

#
# Only one of the below sections will be relevant on your
# installed httpd. Use "apachectl -l" to find out the
# active mpm.
#

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of connections a server process serves
# before terminating
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 40
MaxSpareServers 80
MaxClients 200
MaxRequestsPerChild 9000
#MaxRequestWorkers 250
#MaxConnectionsPerChild 12000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
# before terminating
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
# before terminating
<IfModule mpm_event_module>
StartServers 4
MinSpareThreads 30
MaxSpareThreads 100
ThreadsPerChild 50
MaxRequestWorkers 200
MaxConnectionsPerChild 6000
</IfModule>

# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
# MaxConnectionsPerChild: Maximum number of connections a thread serves. It
# is recommended that the default value of 0 be set
# for this directive on NetWare. This will allow the
# thread to continue to service requests indefinitely.
<IfModule mpm_netware_module>
ThreadStackSize 65536
StartThreads 250
MinSpareThreads 25
MaxSpareThreads 250
MaxThreads 1000
MaxConnectionsPerChild 0
</IfModule>

# OS/2 MPM
# StartServers: Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
# to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
# MaxConnectionsPerChild: Maximum number of connections per server process
<IfModule mpm_mpmt_os2_module>
StartServers 2
MinSpareThreads 5
MaxSpareThreads 10
MaxConnectionsPerChild 0
</IfModule>

# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
# MaxConnectionsPerChild: maximum number of connections a server process serves
<IfModule mpm_winnt_module>
ThreadsPerChild 150
MaxConnectionsPerChild 0
</IfModule>

# The maximum number of free Kbytes that every allocator is allowed
# to hold without calling free(). In threaded MPMs, every thread has its own
# allocator. When not set, or when set to zero, the threshold will be set to
# unlimited.
<IfModule !mpm_netware_module>
MaxMemFree 2048
</IfModule>
<IfModule mpm_netware_module>
MaxMemFree 100
</IfModule>

# httpd-ssl.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
listen 66.228.47.34:443
#Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
# <a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/" title="https://mozilla.github.io/server-side-tls/ssl-config-generator/">https://mozilla.github.io/server-side-tls/ssl-config-generator/</a>
# 04/14/17:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH
SSLHonorCipherOrder On
#SSLProtocol all -SSLv2 -SSLv3
# Enable PFS
#SSLHonorCipherOrder On
#SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH
#SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#
# <a href="https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html" title="https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html">https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html</a>
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients
#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder on
#SSLCompression off
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache24/sslvhost"
ServerName <a href="http://www.davemehler.com:443" title="www.davemehler.com:443">www.davemehler.com:443</a>
ServerAdmin <a href="mailto: ... at davemehler dot com"> ... at davemehler dot com</a>
ErrorLog "/var/log/http-ssl-error.log"
TransferLog "/var/log/httpd-ssl-access.log"
SSLEngine on
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/local/www/apache24/sslvhost>
Require all granted
Options FollowSymLinks
AllowOverRide none
</Directory>
<Directory "/usr/local/www/apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
#BrowserMatch "MSIE [2-5]" \
#nokeepalive ssl-unclean-shutdown \
#downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Alias /mail "/usr/local/www/roundcube/"
#Alias /awstats/icon "/usr/local/www/awstats/icon/"
#Alias /awstatsicon "/usr/local/www/awstats/icon/"
#ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/"
</VirtualHost>

# httpd-security.conf
<IfModule mod_headers.c>
Header unset ETag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set X-XSS-Protection "1; mode=block"
Header append Referrer-Policy: no-referrer-when-downgrade
Header always unset "X-Powered-By"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
# Remove server identification header
<ifModule ModSecurity.c>
SecServerSignature ''
</ifModule>

FileETag None
TraceEnable off

# Deploy Content Security Policy CSP
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
Header set X-Content-Type-Options nosniff
# Originally set to deny
#Header set X-Frame-Options DENY
Header set X-Frame-Options SAMEORIGIN
</IfModule>

# mod_evasive module
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify <a href="mailto: ... at davemehler dot com"> ... at davemehler dot com</a>
DOSWhitelist 127.0.0.1
DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
</IfModule>

vhosts.conf
#
# Virtual host file
#

# The example.com http virtual host
<VirtualHost *:80>
ServerName example.com
RewriteEngine On
RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot com"> ... at example dot com</a>
DocumentRoot "/usr/vhosts/example.com/htdocs/"
ServerName <a href="http://www.example.com" title="www.example.com">www.example.com</a>
ServerAlias <a href="http://www.example.com" title="www.example.com">www.example.com</a>

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to example.com/.well-known gets
forwarded to the https site
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://www.example.com/$1 [R=301,L]

ErrorLog "/usr/vhosts/example.com/logs/error.log"
<Directory "/usr/vhosts/example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

# The test.example.com http virtual host
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot com"> ... at example dot com</a>
DocumentRoot "/usr/vhosts/test.example.com/htdocs/"
ServerName test.example.com
ServerAlias test.example.com

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to test.example.com/.well-known gets
forwarded to the https site
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://test.example.com/$1 [R=301,L]

ErrorLog "/usr/vhosts/test.example.com/logs/error.log"
<Directory "/usr/vhosts/test.example.com/htdocs/">
# mod_authn_core and mod_auth_basic configuration
# for mod_authn_dbd
#AuthType Basic
#AuthName "Restricted Access"

# To cache credentials, put socache ahead of dbd here
#AuthBasicProvider socache dbd

# Also required for caching: tell the cache to cache dbd lookups!
#AuthnCacheProvideFor dbd
#AuthnCacheContext my-server

# mod_authn_dbd SQL query to authenticate a user
#AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s"

# mod_authz_core configuration
#<RequireAll>
#Require group alpha beta testgroup
#Require dbd-group team
#Require not group reject
#<RequireAny>
#Require valid-user
#</RequireAny>
#<RequireNone>
#Require group temps
#</RequireNone>
#</RequireAll>
#Require group testgroup
#Require dbd-group testgroup
#Require valid-user

# mod_authz_dbd configuration
#AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'"
#AuthzSendForbiddenOnFailure On
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

# The example.net http virtual host
<VirtualHost *:80>
ServerName example.net
RewriteEngine On
RewriteRule ^/?(.*) http://www.example.net/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot net"> ... at example dot net</a>
DocumentRoot "/usr/vhosts/example.net/htdocs/"
ServerName <a href="http://www.example.net" title="www.example.net">www.example.net</a>
ServerAlias <a href="http://www.example.net" title="www.example.net">www.example.net</a>

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to example.net/.well-known gets
forwarded to the https site
# RewriteEngine on
# RewriteCond %{REQUEST_URI} !^/.well-known
# RewriteRule (.*) https://www.example.com/$1 [R=301,L]

ErrorLog "/usr/vhosts/example.net/logs/error.log"
<Directory "/usr/vhosts/example.net/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

# The example.org http virtual host
<VirtualHost *:80>
ServerName example.org
RewriteEngine On
RewriteRule ^/?(.*) http://www.example.org/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot org"> ... at example dot org</a>
DocumentRoot "/usr/vhosts/example.org/htdocs/"
ServerName <a href="http://www.example.org" title="www.example.org">www.example.org</a>
ServerAlias <a href="http://www.example.org" title="www.example.org">www.example.org</a>

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to example.org/.well-known gets
forwarded to the https site
# RewriteEngine on
# RewriteCond %{REQUEST_URI} !^/.well-known
# RewriteRule (.*) https://www.example.com/$1 [R=301,L]

ErrorLog "/usr/vhosts/example.org/logs/error.log"
<Directory "/usr/vhosts/example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

# The webmail.example.com http virtual host
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot com"> ... at example dot com</a>
DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
ServerName webmail.example.com
ServerAlias webmail.example.com

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to webmail.example.com/.well-known
gets forwarded to the https site
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]

ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
<Directory "/usr/vhosts/webmail.example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

# The webmail.example.org http virtual host
<VirtualHost *:80>
ServerAdmin <a href="mailto: ... at example dot org"> ... at example dot org</a>
DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/"
ServerName webmail.example.org
ServerAlias webmail.example.org

ErrorDocument 404 /errordocs/error404.htm
# share well-known for renewal via Let's Encrypt!
Alias /.well-known/ /usr/local/www/.well-known/

# Anything that isn't going to webmail.example.org/.well-known
gets forwarded to the https site
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://webmail.example.org/$1 [R=301,L]

ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log"
<Directory "/usr/vhosts/webmail.example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
</Directory>
<IfModule mod_log_config.c>
CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400"
combined
</IfModule>

# Disc cache setup
CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5
CacheIgnoreHeaders Set-Cookie
<Location />
CacheEnable disk
CacheHeader on
CacheDefaultExpire 600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.5
ExpiresActive on
ExpiresDefault "access plus 5 minutes"
Header merge Cache-Control public
FileETag All
</Location>
</VirtualHost>

Comments

Re: New 2.4 configuration, need sanity and securit

By Frank Gingras at 06/17/2017 - 23:11

On 16/06/17 10:53 PM, David Mehler wrote:
No one will parse your entire httpd.conf out of their free time.

Instead, I recommend starting with
<a href="http://httpd.apache.org/docs/current/upgrading.html" title="http://httpd.apache.org/docs/current/upgrading.html">http://httpd.apache.org/docs/current/upgrading.html</a>

Then you can focus on specific problems.